Maintaining Enforce

Perform monthly maintenance tasks to ensure that Enforce successfully performs scheduled activities on all the targeted endpoints and does not overuse endpoint or network resources. If Enforce is not performing as expected, you might need to troubleshoot issues or change settings. See Troubleshooting Enforce for related procedures.

  1. From the Main menu, go to Modules > Enforce > Overview.

  2. Scroll to the Health dashboard to verify whether Enforce tools are installed and active on all endpoints.
  3. To investigate endpoints that do not have Enforce tools installed, click the number above Not Installed. Tanium Cloud or the Tanium Server issues the following question:

    Get?forceComputerIdFlag=1 Endpoint Configuration - Tools Status?ignoreCase=0&maxAge=600 contains Enforce from all machines

  4. To troubleshoot installation issues for Enforce tools, see Monitor and troubleshoot Enforce coverage status (% of total).

Monitor and troubleshoot Enforce coverage status (% of total)

The following table lists factors that can cause Enforce coverage to be lower than expected, and the corrective actions you can take.

| Contributing Factor | Corrective Action(s) |
| --- | --- |
| Incorrect targeting criteria used in computer groups | Ensure computers that should be managed by Enforce are included in computer group creation. |
| Enforce action group is too narrow | Ensure computer groups that should be managed by Enforce are included in the Enforce action group. |

Monitor and troubleshoot policy enforcement status (% of total)

The following table lists factors that can cause Enforce policy enforcement coverage to be lower than expected, and the corrective actions you can take.

| Contributing Factor | Corrective Action(s) |
| --- | --- |
| Enforce tools are not deployed | Ensure computer groups that should be managed by Enforce are included in the Enforce action group. |
| Domain Group Policy is currently applied | Reference the output from enforcement policy status and work with the Active Directory team to set conflicting policy items to “Not Defined” in the domain policy. |

Monitor and troubleshoot host firewall status on endpoints

The following table lists factors that can cause the Enforce host firewall metric to be lower than expected, and the corrective actions you can take.

| Contributing Factor | Corrective Action(s) |
| --- | --- |
| Host-based firewall is not installed | Deploy Windows firewall policy. |
| Host-based firewall is not enabled | Deploy the Windows firewall policy that enables the Windows firewall for all profiles (Domain, Public, and Private). |

Monitor and troubleshoot disk encryption status on endpoints

The following table lists factors that can cause the Enforce disk encryption metric to be lower than expected, and the corrective actions you can take.

| Contributing Factor | Corrective Action(s) |
| --- | --- |
| No corporate policy mandating full disk encryption (FDE) is enabled | Reference the Trends board displayed in Enforce that highlights lack of FDE. Work with security stakeholders to deploy disk encryption policies. |
| Segments of the enterprise don’t have full disk encryption enabled | Use drill-down questions to explore commonalities between machines that lack FDE but should have it in place. |
| Operating systems don’t support native disk encryption (BitLocker, FileVault) | Use the Enforce policy status report to determine endpoints that run operating systems that don’t support BitLocker (Windows 10 Home, Windows 7 Pro). Work on an endpoint “recap” plan with the asset team. |
| Weak or unapproved encryption is being used | Use the Enforce policy status report to determine endpoints that have weak encryption enabled. Deploy a decryption package and enforce an FDE policy with the correct encryption type. |

Monitor and troubleshoot antivirus status on endpoints

The following table lists factors that can cause the Enforce antivirus metric to be lower than expected, and the corrective actions you can take.

| Contributing Factor | Corrective Action(s) |
| --- | --- |
| Third-party antivirus product is not installed | Deploy anti-malware policy. |
| Real-time scanning is not enabled | Deploy anti-malware policy that enables real-time scanning. |
| Definition files are not up-to-date | Ensure Tanium is downloading Defender definition files from Microsoft. |
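
When a single Windows endpoint keeps showing up as non-compliant, a local spot check can confirm the conditions named in the host firewall, disk encryption, and antivirus tables. The script below is an added example, not part of the Tanium documentation or product. It uses only built-in Windows cmdlets, covers Microsoft Defender only (not third-party antivirus), and the approved encryption methods and maximum definition age are assumed values to replace with your own policy.

```powershell
# Added example: local spot check of firewall, disk encryption and Defender state.
# Run in an elevated PowerShell session on the endpoint under investigation.
# ASSUMPTIONS: the two thresholds below are illustrative, not Tanium defaults.
$ApprovedMethods  = @('XtsAes128', 'XtsAes256')  # assumed approved BitLocker methods
$MaxSignatureDays = 3                            # assumed maximum definition age (days)

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Area, $Item, $Ok, $Detail) {
    $findings.Add([pscustomobject]@{
        Area = $Area; Item = $Item; Compliant = [bool]$Ok; Detail = $Detail })
}

# Host firewall: every profile (Domain, Private, Public) must be enabled.
try {
    foreach ($p in Get-NetFirewallProfile -ErrorAction Stop) {
        Add-Finding 'Firewall' $p.Name ("$($p.Enabled)" -eq 'True') "Enabled=$($p.Enabled)"
    }
} catch { Add-Finding 'Firewall' 'Query' $false $_.Exception.Message }

# Disk encryption: each volume BitLocker reports must be fully encrypted,
# protected, and use an approved method. On editions without BitLocker
# support the cmdlet is missing or fails; that is recorded as a finding.
try {
    foreach ($v in Get-BitLockerVolume -ErrorAction Stop) {
        $ok = ($v.VolumeStatus -eq 'FullyEncrypted') -and
              ($v.ProtectionStatus -eq 'On') -and
              ($ApprovedMethods -contains "$($v.EncryptionMethod)")
        Add-Finding 'DiskEncryption' $v.MountPoint $ok `
            "Status=$($v.VolumeStatus); Method=$($v.EncryptionMethod)"
    }
} catch { Add-Finding 'DiskEncryption' 'Query' $false $_.Exception.Message }

# Antivirus (Microsoft Defender): real-time scanning on, definitions recent.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    Add-Finding 'Antivirus' 'RealTimeProtection' $mp.RealTimeProtectionEnabled `
        "Enabled=$($mp.RealTimeProtectionEnabled)"
    Add-Finding 'Antivirus' 'Definitions' ($mp.AntivirusSignatureAge -le $MaxSignatureDays) `
        "AgeDays=$($mp.AntivirusSignatureAge); Updated=$($mp.AntivirusSignatureLastUpdated)"
} catch { Add-Finding 'Antivirus' 'Query' $false $_.Exception.Message }

$findings | Format-Table -AutoSize
# Non-zero exit code when any check fails, so the script can gate automation.
if ($findings.Compliant -contains $false) { exit 1 }
```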